In this tutorial, we’ll study software diversity. First, we’ll understand the motivations that lead to software diversity. Then, we’ll investigate what software diversity is and how it works.
2. Understanding the Motivations
Typically, if developers need to implement software that solves a specific problem, they get the team together, analyze the requirements, choose the programming tools, and create one software program that solves the problem.
The scenario described above is the most common process for releasing new software to the market. However, especially with complex software, there is plenty of room for a release to ship with unidentified bugs and potential security problems.
Consequently, having a single software implementation for solving a problem raises some concerns:
- If the software program fails for one user, it can fail for any other user that executes it under the same conditions
- If an attacker creates an attack that takes advantage of a vulnerability in the software program, this attack may affect everyone using it
So, the question is: how can we attenuate the potential problems of a particular software implementation? The answer may be having different implementations of the same software, tackling the same challenges, meeting identical requirements, and providing the same correct results. Simply put, we call this solution software diversity.
3. Software Diversity
As stated in the previous section, software diversity consists of different software implementations that solve an identical problem. Software diversity is inspired by biodiversity. For example, many wing shapes allow birds to fly. However, some shapes have weaknesses in specific climate conditions, while others don’t.
The most important aspect of code diversity is guaranteeing that, given the same input, every implementation returns the same output. So, in practice, all the implementations use the same data models for the inputs and outputs and provide the same set of operations. The following figure depicts the described scenario:
There are several techniques to achieve software diversity:
- Multi-vendor: the most straightforward technique but typically the most costly one. Three different programming teams receive the same project and execute it independently, generating three heterogeneous implementations of the same software
- Multi-compiler: a multi-compiler contains a diversification engine that can generate different binaries from the same source code. So, it allows the developers to load distinct plugins, rulesets, and configurations for each compilation of the source code
- Randomness: a technique by which programmers modify the behavior of program operations among its different implementations. It includes manipulating the memory loading, varying the order of instructions, and rearranging the basic blocks of a program
Moreover, there exists natural software diversity. It consists of using interchangeable resources to create different software implementations, for example, using different database management systems and even running the software program within distinct operating systems.
We can highlight two principal benefits of software variability: improvements in security and fault tolerance. In security, it prevents potential exploits and backdoors from spreading to every installation, limiting a security problem to the group of users running the affected implementation. In a fault tolerance scenario, software variability prevents a single bug from crashing an entire dependable system (for instance, systems that use replication to mitigate Byzantine faults).
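The same-input, same-output requirement and the fault-tolerance benefit can be seen together in a small sketch, added here as an example that is not part of the original tutorial. It goes one step beyond the text by putting a majority voter in front of three variants; the integer-square-root variants, the `vote` helper, and the sample inputs are all constructed for illustration.

```python
import math
from collections import Counter

# Three constructed variants of one operation: floor(sqrt(n)) for n >= 0.
def isqrt_newton(n):
    if n < 2:
        return n
    x = n
    while x * x > n:              # Newton iteration, integers only
        x = (x + n // x) // 2
    return x

def isqrt_bisect(n):
    lo, hi = 0, n + 1             # invariant: lo*lo <= n < hi*hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if mid * mid <= n:
            lo = mid
        else:
            hi = mid
    return lo

def isqrt_float(n):
    # Latent defect: n is rounded to a 53-bit float, so large inputs go wrong.
    return int(math.sqrt(n))

VARIANTS = {"newton": isqrt_newton, "bisect": isqrt_bisect, "float": isqrt_float}

def vote(n, variants=VARIANTS):
    """Run every variant on the same input; return (majority result, dissenters)."""
    results = {}
    for name, fn in variants.items():
        try:
            results[name] = fn(n)
        except Exception as exc:  # a crashing variant is outvoted, not fatal
            results[name] = ("error", type(exc).__name__)
    winner, count = Counter(results.values()).most_common(1)[0]
    if count <= len(variants) // 2:
        raise RuntimeError(f"no majority for input {n}: {results}")
    return winner, sorted(k for k, v in results.items() if v != winner)

if __name__ == "__main__":
    for n in (49, 10**16 - 1):    # constructed inputs
        print(n, vote(n))
```

The list of dissenters is worth logging: a variant that disagrees with the majority on some input has either a bug or has been tampered with, and the vote both masks and reports it.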
In this tutorial, we studied software diversity. We can state that diversity is an efficient alternative to avoid catastrophic scenarios for released software programs, avoiding the complete dissemination of bugs and security problems.